
[Asrg] Re: 2a. Analysis - Source - Open Relays and Proxies (was Re:

2003-10-27 15:46:35
I have adjusted the Subject.

On Fri, Oct 24, 2003 at 02:12:35PM -0400, David Maxwell wrote:
In your original message, Message-ID: 
<20031023183955.GD18651@Space.Net>
you said:
Which is worthless if it was injected via an open relay.
                                               ----------
I replied about open relays, and even said (included below) that if you
want to talk about open _proxy servers_ that that is a different
discussion, and that I agree that it's a problem.

What you didn't take into account is that spammers even use open proxy
servers to feed open relays.
We had a customer with a machine running a misconfigured Apache proxy.
One could clearly see that the attacker first scanned the /24 subnet the
webserver was in for open SMTP ports. Next the attacker scanned all of our
mailservers to check whether the machine was whitelisted for relaying; he
found the machine and had time to inject about 1000 messages before our
watchdogs notified us and we cut it off.

So the two problems are related.

Open relays and open proxies are different discussions with regard to
whether a 'useful' IP address will have been included in message
headers. For relays, it will, for proxies, it won't.

Even for relayed messages it won't; see above.
But I get your point, and we could now start a lengthy discussion about
slightly different definitions of open relay mailservers. The problem
however remains the same:
   You can trust at most one hop further towards the source of the spam
   than the last mailserver under your control. And you definitely cannot
   travel back to the origin and put full trust in "this is the source"
   just from the information in the mail header. Never (unless it's your
   own message of course, but you probably won't see that just from the
   header either).

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
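The "one hop past the last server you control" rule from the message above, as an added example that is not part of the original thread or of any SpaceNet tooling: it walks the Received: chain from the newest header (stamped by our own MTA) towards the claimed origin, reports the one peer we can vouch for, and treats every older hop as hearsay because it was written by a server we do not control. The host names, addresses and both sample messages are constructed for this example; in particular OUR_MTA_IPS is an assumed list of our own relays.

```python
"""
Added example (not from the ASRG thread): trace a message's Received: chain
and mark where trust ends.  All hostnames, IPs and messages are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption for the example: the IP addresses of the mailservers we operate.
# Matching is done on the IP our own MTA recorded, never on the HELO name,
# because the HELO name is chosen by the connecting client and can be forged.
OUR_MTA_IPS = {"192.0.2.1", "192.0.2.2"}

# Constructed sample 1: an outside relay hands us a message it accepted from
# a third host.  We can vouch for 198.51.100.7; the hop below it is hearsay.
SAMPLE_MESSAGE = """Received: from mx2.example.net (mx2.example.net [192.0.2.2])
\tby mx1.example.net (Postfix) with ESMTP id 1A2B3C
\tfor <victim@example.net>; Mon, 27 Oct 2003 15:40:01 +0100
Received: from relay.customer.example (relay.customer.example [198.51.100.7])
\tby mx2.example.net (Postfix) with ESMTP id 4D5E6F; Mon, 27 Oct 2003 15:39:58 +0100
Received: from mail.innocent.example (mail.innocent.example [203.0.113.9])
\tby relay.customer.example (Sendmail) with SMTP id 7G8H9I; Mon, 27 Oct 2003 15:39:50 +0100
From: someone@innocent.example
Subject: test

body
"""

# Constructed sample 2: a direct-to-MX sender that prepended a fake Received:
# line naming an innocent ISP.  The fake line is below our own stamp, so the
# walker must not report 203.0.113.1 as the origin.
FORGED_MESSAGE = """Received: from bigisp.example (dialup-4711.bigisp.example [203.0.113.77])
\tby mx1.example.net (Postfix) with ESMTP id AA11; Mon, 27 Oct 2003 15:45:00 +0100
Received: from mail.bigisp.example (mail.bigisp.example [203.0.113.1])
\tby mailhub.bigisp.example with ESMTP id FAKE1; Mon, 27 Oct 2003 15:44:00 +0100
From: someone@bigisp.example

body
"""

# "from HELO (rDNS [IP]) ... by SERVER" as written by common MTAs; the
# parenthesised part is optional because some servers omit it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block with folding undone."""
    head = raw.split("\n\n", 1)[0]
    lines: List[str] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()  # continuation of previous header
        else:
            lines.append(line)
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def received_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """Parse every Received: header, newest (topmost) first."""
    hops = []
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"],
                         "by": m["by"].rstrip(";").lower()})
    return hops


def trace(raw: str) -> Tuple[Optional[Tuple[str, str]], List[Dict[str, Optional[str]]]]:
    """Return (trusted_source, hearsay).

    trusted_source is the (ip, rdns) of the first peer outside OUR_MTA_IPS that
    handed the message to one of our servers; hearsay is every older hop, which
    was stamped by a server we do not control and may be forged or meaningless.
    """
    hops = received_hops(raw)
    for i, hop in enumerate(hops):
        if hop["ip"] in OUR_MTA_IPS:
            continue  # internal hand-off between our own servers; keep walking
        return (hop["ip"], hop["rdns"]), hops[i + 1:]
    return None, []  # only internal hops found: message originated with us
```

Running trace() on SAMPLE_MESSAGE yields the customer relay as the only vouchable source and the mail.innocent.example hop as hearsay; on FORGED_MESSAGE it yields the dial-up host and correctly refuses to treat the fabricated "mailhub.bigisp.example" line as evidence of where the message came from. Note that the walk never consults the HELO string or any Received: line older than the first external hop, which is exactly the trust boundary the message above describes.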


